Saltar a contenido

Cheatsheet de CyberChef

butbutton onclick="navigator.clipboard.writeText(document.querySelector('.cheatsheet-content').innerText)" class="copy-btn" confianza> Copiar todos los comandos CyberChef realizadas/button confidencial

########################################################################################################################################################################################################################################################## Generar CyberChef PDF Guía =

■/div titulada

CyberChef es una aplicación web para encriptación, codificación, compresión y análisis de datos. Conocido como "The Cyber Swiss Army Knife", permite a los analistas de seguridad realizar transformaciones complejas de datos a través de una sencilla interfaz de arrastrar y soltar, lo que lo hace invaluable para el análisis de malware, forenses y desafíos de CTF.

Instalación y configuración

Web Application

** Acceso en línea:**

# Official hosted version
https://gchq.github.io/CyberChef/

# Alternative mirrors
https://cyberchef.org/
https://icyberchef.com/

Instalación local

Instalación de muelles:

# Pull official Docker image
docker pull mpepping/cyberchef

# Run CyberChef locally
docker run -d -p 8080:8080 mpepping/cyberchef

# Access at http://localhost:8080

Node.js Instalación:

# Clone repository
git clone https://github.com/gchq/CyberChef.git
cd CyberChef

# Install dependencies
npm install

# Build application
npm run build

# Start development server
npm start

# Access at http://localhost:8080

Standalone Ejecutible: #

# Download pre-built releases
wget https://github.com/gchq/CyberChef/releases/download/v9.55.0/CyberChef_v9.55.0.zip

# Extract and run
unzip CyberChef_v9.55.0.zip
cd CyberChef_v9.55.0
python3 -m http.server 8080

Interface Overview

Componentes principales

**Grupo de destinatarios: # - Drag operations from the operations list - Configurar parámetros de operación - Operaciones de reordenamiento arrastrando - Guardar y cargar recetas

** Grupo de información** - Datos de entrada de sabor o tipo - Cargar archivos (drag y drop) - Cargar datos de URLs - Opciones de formato de entrada (texto, hex, base64)

** Panel de Producto** - Ver resultados de transformación - Descarga la salida como archivo - Copiado para el portapapeles - Opciones de formato de salida múltiple

Operaciones Lista: - Operaciones de búsqueda por nombre - Examine por categoría - Favoritos para acceso rápido - Historial de operaciones recientes

Codificación y Decodificación

Operaciones de Base64

Base64 Código:

Operation: To Base64
Input: Hello World
Output: SGVsbG8gV29ybGQ=

# With custom alphabet
Operation: To Base64
Alphabet: Custom
Input: sensitive data

Base64 Decode:

Operation: From Base64
Input: SGVsbG8gV29ybGQ=
Output: Hello World

# Handle invalid characters
Operation: From Base64
Remove non-alphabet chars: true

Variedades básicas:

# Base32 encoding
Operation: To Base32
Input: Hello World
Output: JBSWY3DPEBLW64TMMQ======

# Base58 encoding (Bitcoin)
Operation: To Base58
Input: Hello World
Output: JxF12TrwUP45BMd

# Base85 encoding
Operation: To Base85
Input: Hello World
Output: 87cURD]j7BEbo80

URL Codificación

URL Encode:

Operation: URL Encode
Input: hello world!@#$%
Output: hello%20world%21%40%23%24%25

# Encode all characters
Operation: URL Encode
Encode all chars: true

Decodificación:

Operation: URL Decode
Input: hello%20world%21%40%23%24%25
Output: hello world!@#$%

Codificación HTML

HTML Entity Encode:

Operation: To HTML Entity
Input: <script>alert('XSS')</script>
Output: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;

# Named entities only
Operation: To HTML Entity
Named entities: true

HTML Entity Decode:

Operation: From HTML Entity
Input: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
Output: <script>alert('XSS')</script>

Cifrado y descifrado

Cifrado simétrico

Encryption:

Operation: AES Encrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Secret message
Output: Encrypted data

# Different modes
Mode: ECB, CBC, CFB, OFB, GCM
Key format: Hex, UTF8, Latin1, Base64

AES Decryption:

Operation: AES Decrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Encrypted data
Output: Secret message

DES/3DES:

Operation: DES Encrypt
Mode: CBC
Key: 8-byte key
IV: 8-byte IV
Input: Data to encrypt

Operation: Triple DES Encrypt
Mode: CBC
Key: 24-byte key
IV: 8-byte IV

Funciones de Hash

*Common Hashes: #

# MD5 Hash
Operation: MD5
Input: Hello World
Output: b10a8db164e0754105b7a99be72e3fe5

# SHA-1 Hash
Operation: SHA1
Input: Hello World
Output: 0a4d55a8d778e5022fab701977c5d840bbc486d0

# SHA-256 Hash
Operation: SHA2
Size: 256
Input: Hello World
Output: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e

HMAC:

Operation: HMAC
Hash function: SHA256
Key: secret-key
Input: message to authenticate
Output: HMAC value

Contraseña Cracking

Hash Analysis:

Operation: Analyse hash
Input: 5d41402abc4b2a76b9719d911017c592
Output: Possible hash types: MD5, NTLM

# Hash identifier
Operation: Hash identifier
Input: $2b$12$...
Output: bcrypt hash detected

Ataque Diccionario

# Generate wordlist
Operation: Generate wordlist
Type: Bruteforce
Charset: abcdefghijklmnopqrstuvwxyz
Min length: 4
Max length: 8

# Compare with hash
Operation: Compare hashes
Hash type: MD5
Target hash: 5d41402abc4b2a76b9719d911017c592

Análisis de datos

Análisis de texto

Análisis de la frecuencia

Operation: Frequency distribution
Input: ATTACKATDAWN
Output: Character frequency chart

# Letter frequency analysis
Operation: Chi squared
Input: Encrypted text
Output: Chi-squared values for different shifts

** Análisis de la entropía**

Operation: Entropy
Input: Random data vs compressed data
Output: Entropy value (0-8 bits)

# Detect compression/encryption
High entropy (>7): Likely encrypted/compressed
Low entropy (``<4): Likely plain text

Extracción de cuerda:

Operation: Strings
Min length: 4
Input: Binary file data
Output: Printable strings

# Extract specific patterns
Operation: Regular expression
Pattern: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\{2,\\\}
Input: Text with email addresses

Análisis binario

Hex Operations:

Operation: To Hex
Delimiter: Space
Input: Hello World
Output: 48 65 6c 6c 6f 20 57 6f 72 6c 64

Operation: From Hex
Delimiter: Auto
Input: 48656c6c6f20576f726c64
Output: Hello World

** Operaciones financieras**

Operation: To Binary
Delimiter: Space
Input: Hello
Output: 01001000 01100101 01101100 01101100 01101111

# XOR operations
Operation: XOR
Key: secret
Key format: UTF8
Input: Data to XOR

Análisis de archivos

Operation: File type
Input: File header bytes
Output: Detected file type

# Extract file signatures
Operation: Extract file paths
Input: Binary data
Output: Embedded file paths

# Detect embedded files
Operation: Binwalk
Input: Firmware or binary file
Output: Embedded file locations

Análisis forense y malware

Análisis de redes

Operaciones de Dirección de IP:

Operation: Parse IP range
Input: 192.168.1.0/24
Output: List of IP addresses

# GeoIP lookup
Operation: GeoIP lookup
Input: 8.8.8.8
Output: Location information

# DNS operations
Operation: DNS over HTTPS
Query type: A
Domain: example.com

Análisis:

Operation: URL decode
Input: Encoded URL
Output: Decoded URL

# Parse URL components
Operation: Parse URI
Input: https://example.com:8080/path?param=value
Output: Protocol, host, port, path, query

# Defang URLs
Operation: Defang URL
Input: http://malicious-site.com
Output: hxxp://malicious-site[.]com

Análisis de registros

Log Parsing:

Operation: Parse log file
Format: Apache Common Log
Input: 127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326

# Extract timestamps
Operation: Extract dates
Input: Log entries with various date formats
Output: Standardized timestamps

# Parse Windows Event Logs
Operation: Parse Windows Event Log
Input: XML event log data
Output: Structured event information

** Análisis de tiempo**

Operation: Sort
Sort by: Timestamp
Input: Multiple log entries
Output: Chronologically sorted events

# Time zone conversion
Operation: Change datetime format
Input format: DD/MM/YYYY HH:mm:ss
Output format: ISO 8601
Timezone: UTC

Steganography

Estanografía de imagen:

Operation: Extract LSB
Input: Image file
Bit plane: 0 (LSB)
Output: Hidden data

# Extract EXIF data
Operation: Extract EXIF
Input: JPEG image
Output: Metadata information

# Image analysis
Operation: View Bit Plane
Bit: 0
Input: Suspicious image
Output: LSB visualization

Text Steganography:

Operation: Detect hidden text
Method: Zero-width characters
Input: Text with hidden content
Output: Extracted hidden message

# Whitespace steganography
Operation: Whitespace
Action: Decode
Input: Text with hidden whitespace patterns

Cryptanalysis

Cifras clásicas

Cifra de César: #

Operation: ROT13
Input: HELLO WORLD
Output: URYYB JBEYQ

# Variable rotation
Operation: Caesar cipher
Amount: 7
Direction: Encrypt
Input: ATTACK AT DAWN
Output: HAAHJR HA KHDV

** Cifras de sustitución:**

Operation: Substitution cipher
Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext alphabet: ZYXWVUTSRQPONMLKJIHGFEDCBA
Input: HELLO
Output: SVOOL

# Atbash cipher
Operation: Atbash cipher
Input: HELLO WORLD
Output: SVOOL DLIOW

**Vigenère Cipher: #

Operation: Vigenère encode
Key: SECRET
Input: HELLO WORLD
Output: ZINCS AIDVN

# Vigenère decode
Operation: Vigenère decode
Key: SECRET
Input: ZINCS AIDVN
Output: HELLO WORLD

Cryptanalysis moderna

Análisis de la frecuencia

Operation: Frequency distribution
Show percentages: true
Input: Encrypted text
Output: Character frequency analysis

# Index of Coincidence
Operation: Index of Coincidence
Input: Ciphertext
Output: IC value (indicates monoalphabetic vs polyalphabetic)

Key Recovery:

Operation: Kasiski examination
Input: Vigenère ciphertext
Output: Probable key lengths

# Brute force Caesar
Operation: ROT13 brute force
Input: Encrypted text
Output: All possible rotations

Automatización y scripting

Creación de recetas

Save Recipes:

# Create reusable recipes
1. Build operation chain
2. Click "Save recipe"
3. Name and describe recipe
4. Share recipe link

# Example: Malware deobfuscation recipe
Operations:
1. From Base64
2. Gunzip
3. From Hex
4. AES Decrypt (key: known_key)

**Recipe Sharing: #

# Share via URL
Recipe URL contains encoded operations
Example: https://gchq.github.io/CyberChef/#recipe=To_Base64('A-Za-z0-9%2B/%3D')

# Export/Import recipes
File format: JSON
Contains: Operations, parameters, input/output

Procesamiento de lotes

** Entradas mínimas:**

# Process multiple files
1. Upload multiple files
2. Apply recipe to all
3. Download results as ZIP

# Batch text processing
Input: Multiple lines of data
Recipe: Applied to each line
Output: Processed results

Scripts de automatización:

// CyberChef API usage (Node.js)
const chef = require("cyberchef");

// Create recipe
const recipe = new chef.Recipe(
    new chef.operations.ToBase64(),
    new chef.operations.MD5()
);

// Process data
const result = chef.bake("Hello World", recipe);
console.log(result.toString());

Técnicas avanzadas

Operaciones de aduana

** Operación Mágica**

Operation: Magic
Input: Unknown encoded data
Output: Automatically detected and decoded

# Intensive mode
Intensive: true
Extensive language support: true
Depth: 3 (number of operations to try)

** Operación de tenedor**

Operation: Fork
Split on: \n (newline)
Merge: true
Input: Multiple lines of data
Recipe: Applied to each line separately
Output: Combined results

Visualización de datos

** Generación de arte:**

Operation: Scatter chart
X values: Column 1
Y values: Column 2
Input: CSV data
Output: Interactive scatter plot

# Hex dump visualization
Operation: To Hexdump
Width: 16
Upper case: true
Include ASCII: true

** Diagramas de red:**

Operation: Generate network diagram
Input: Network connection logs
Output: Visual network topology

# Timeline visualization
Operation: Timeline
Date field: timestamp
Event field: event_type
Input: Log data with timestamps
```_

## Ejemplos de integración

### SIEM Integración

** Integración simplificada**
```bash
# Use CyberChef for data preprocessing
# Example: Decode base64 logs before indexing

# Splunk search command
|eval decoded_data = base64decode(encoded_field)
|eval hash_value = md5(decoded_data)

# CyberChef recipe equivalent:
# 1. From Base64
# 2. MD5

ELK Stack Integration:

\\\{
  "processors": [
    \\\{
      "script": \\\{
        "source": "ctx.decoded = Base64.getDecoder().decode(ctx.encoded_field)"
      \\\}
    \\\}
  ]
\\\}

Threat Intelligence

Extracción de COI:

# Extract indicators from reports
Recipe:
1. Regular expression (IP addresses)
2. Regular expression (Domain names)
3. Regular expression (File hashes)
4. Defang URLs
5. Format as CSV

Input: Threat intelligence report
Output: Structured IOC list

** Análisis de Malware**

# Deobfuscate malware samples
Recipe:
1. From Base64
2. Gunzip
3. From Hex
4. XOR (key: 0x42)
5. Extract strings
6. Regular expression (URLs/IPs)

Input: Obfuscated malware
Output: Deobfuscated code with IOCs

CTF and Challenges

Common CTF Recetas

# Multi-layer encoding
Recipe:
1. From Base64
2. URL Decode
3. From Hex
4. ROT13
5. Atbash cipher

# Steganography analysis
Recipe:
1. Extract LSB
2. From Binary
3. Gunzip
4. From Base64

# Cryptanalysis chain
Recipe:
1. Frequency distribution
2. Index of Coincidence
3. Kasiski examination
4. Vigenère decode (guessed key)
```_

## Solución de problemas

### Cuestiones comunes

** Problemas de rendimiento:**

Large file processing

  • Use "Drop bytes" to reduce size
  • Process in chunks using "Split"
  • Disable auto-bake for large operations

Memory issues

  • Clear input/output regularly
  • Use streaming operations when available
  • Restart browser if memory usage high

** Cuestiones de codificación:**

Character encoding problems

  • Check input encoding (UTF-8, Latin1, etc.)
  • Use "Detect encoding" operation
  • Convert between encodings as needed

Binary data handling

  • Use hex input for binary data
  • Check byte order (little/big endian)
  • Verify file headers and signatures

**Receta Debugging: #

Debug failed recipes

  • Check each operation individually
  • Verify input format matches expected
  • Use "To Hex" to inspect intermediate results
  • Check operation parameters

Error messages

  • "Invalid input": Check data format
  • "Key length": Verify encryption key size
  • "Parse error": Check syntax for regex/JSON

### Buenas prácticas

** Desarrollo de la receta**

Start simple

  1. Test each operation individually
  2. Build recipe step by step
  3. Verify intermediate outputs
  4. Document recipe purpose

Error handling

  • Use "Drop bytes" to handle extra data
  • Add "Try" operations for uncertain steps
  • Include fallback operations

** Consideraciones de seguridad:**

Sensitive data handling

  • Use local installation for sensitive data
  • Clear browser cache after use
  • Avoid cloud-hosted instances for secrets
  • Use HTTPS for web access

Data validation

  • Verify output makes sense
  • Cross-check with other tools
  • Test with known good data
  • Document assumptions and limitations ```

" , "

Esta hoja de trampa completa de CyberChef cubre la transformación de datos, criptanálisis, forenses y técnicas de automatización para un análisis e investigación de seguridad eficaz.